CVE-2022-41929: Missing Authorization in User#setDisabledStatus in org.xwiki.platform:xwiki-platform-oldcore
First published: Wed Nov 23 2022(Updated: )
org.xwiki.platform:xwiki-platform-oldcore is missing authorization in User#setDisabledStatus, which may allow an incorrectly authorized user with only Script rights to enable or disable a user. This operation is meant to only be available for users with admin rights. This problem has been patched in XWiki 13.10.7, 14.4.2 and 14.5RC1.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Xwiki Xwiki | >11.7<13.10.7 | |
| Xwiki Xwiki | >14.0.0<14.4.2 | |
| Xwiki Xwiki | =11.7-rc1 | |
| Xwiki Xwiki | =14.4.3 | |
| Xwiki Xwiki | =14.4.4 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- collector/nvd-index
- agent/type
- agent/softwarecombine
- agent/remedy
- collector/mitre-cve
- source/MITRE
- agent/author
- agent/severity
- agent/title
- agent/weakness
- agent/references
- agent/last-modified-date
- agent/first-publish-date
- agent/tags
- agent/description
- agent/event
- vendor/xwiki
- canonical/xwiki xwiki
- version/xwiki xwiki/11.7-rc1
- version/xwiki xwiki/14.4.3
- version/xwiki xwiki/14.4.4